Heartbleed causing serious threats to web service security

Heartbleed is causing a great deal of panic around the world these days, and even though a patch is available, the bug appears to have other associated vulnerabilities. Heartbleed, a bug in OpenSSL, is being exploited by a number of malicious hackers to hijack private sessions and VPNs. Disclosed by security researchers a few weeks ago, Heartbleed allows an attacker to steal and gain access to the encrypted traffic passing between a server and a client.

The U.S. government has issued a warning to people who hold accounts on the Obamacare health law's website, asking them to change their passwords. Although senior officials denied that any compromise had occurred, they said, "While there's no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers' passwords out of an abundance of caution."

The Department of Homeland Security is currently monitoring government websites to mitigate any risks arising from Heartbleed. Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications, said, "We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems, and we will continue to adapt our response if we learn about additional issues created by the vulnerability."

At the other end of the spectrum, an anonymous hacker was able to compromise an unnamed company. The company, which provides secure communication services such as VPN to other organizations, was running the vulnerable version of OpenSSL. Unlike the previously known attacks, this time the Heartbleed bug was exploited in a different way: to obtain the encryption keys stored on the server rather than a user's session keys.

The attack carried out by this malicious hacker allowed them to bypass not only the multi-factor authentication system but also the mechanism that checks the genuineness of source IPs. That mechanism checks whether the IPs accessing the VPN belong to the company that owns it.

Unlike the attack that lets an attacker obtain session keys, this attack left traces. Washington D.C.-based security company Mandiant, which discovered the attack, said, "The exploit method was identified and confirmed by analyzing two sources of information, IDS signatures and VPN logs. The victim organization implemented a set of signatures to identify Heartbleed network activity." The source IPs recorded in the logs were at times clearly different from the company's own.
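As an added illustration of the log-based side of that detection (this is example code, not Mandiant's signatures or the victim organization's tooling), the script below reviews constructed VPN log lines and flags any session whose source IP changes after it was established, or which is ever used from outside the address ranges the company expects. The log format, the session and user names, and the address ranges are all assumptions made for the example; real VPN appliances log in their own formats, so the parser is the part to adapt.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample VPN log lines (hypothetical format, not any vendor's).
# Session S100 is used from two different addresses, one outside the company range.
SAMPLE_VPN_LOG = """\
2014-04-10T08:01:12Z user=alice session=S100 src=198.51.100.23 event=session_start
2014-04-10T08:02:03Z user=alice session=S100 src=198.51.100.23 event=request
2014-04-10T08:05:44Z user=alice session=S100 src=203.0.113.77 event=request
2014-04-10T08:06:10Z user=alice session=S100 src=198.51.100.23 event=request
2014-04-10T08:07:30Z user=bob session=S101 src=198.51.100.40 event=session_start
2014-04-10T08:09:00Z user=bob session=S101 src=198.51.100.40 event=request
"""

# Assumed address ranges the company expects its VPN users to come from
# (documentation ranges used as placeholders).
COMPANY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse_vpn_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_company_ip(ip):
    """True if the address falls inside one of the company's expected ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMPANY_RANGES)


def find_suspicious_sessions(events):
    """Return one finding per session whose source IP changed mid-session,
    or which was ever used from outside the company's ranges."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    findings = []
    for session, evs in by_session.items():
        ips = []  # distinct source IPs in order of first appearance
        for ev in evs:
            if ev["src"] not in ips:
                ips.append(ev["src"])
        foreign = [ip for ip in ips if not is_company_ip(ip)]
        if len(ips) > 1 or foreign:
            findings.append({
                "session": session,
                "user": evs[0]["user"],
                "ips": ips,
                "foreign_ips": foreign,
                "ip_changed": len(ips) > 1,
            })
    return findings


def triage(text=SAMPLE_VPN_LOG):
    """Parse the log text and return the suspicious sessions it contains."""
    return find_suspicious_sessions(parse_vpn_log(text))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run on the constructed sample, only session S100 is reported: it switches from a company address to 203.0.113.77 and back, which is exactly the kind of mid-session address change that VPN logs preserve even when the session itself looks authenticated. A legitimate roaming user can also trigger the "IP changed" condition, so in practice the two conditions would be weighted differently and correlated with the IDS signature hits the article mentions.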

We believe this method is just one of the endless vulnerabilities Heartbleed brings with it, and the only possible solution is to upgrade OpenSSL and recompile. But would that be enough? That is the question we would like to put to you.